The results of each API call made to the winsock.dll, (wsock32.dll or Ws2_32.dll for 32-bit
systems), is captured and displayed to the Spy Window as they occur. Each
captured API call contains the arguments passed to the dll as well as any
data or error returned as a result of the call. Data transferred through
a socket via the recv(), recvfrom(), send(), or sendto() calls may be captured
and displayed in its entirety.

Each captured API reference may be displayed in a single-line format or
expanded, (Verbose), to display additional argument/return values. SocktSpy
may also be configured to only display actual data blocks transferred
through a socket between applications, (Data Only Mode).

A filter specification may be applied to SocktSpy to selectively capture
particular API commands and/or status return values. Data capture may also
be restricted to those API calls associated with a designated socket number.

Trace records are maintained in a circular buffer, with newly captured data
replacing older data as a monitoring session progresses. SocktSpy
maintains a separate and distinct set of trace buffers for trapping
communications events based on the occurrence of a defined logic trigger.
The trigger may be associated with a given API call, error return value, or
byte pattern contained in a send/recv data block.

During an active monitoring session, captured API records are compared against
the defined trigger, and if a match occurs, trace records are moved from the
normal capture buffer to the trap buffer and the trigger is disabled. The
trap buffer may be configured to represent the data records immediately prior
to the trigger, immediately after the trigger, or surrounding the trigger.